Redistribute User-ID Information Between Prisma Access and On-Premises Firewalls

Overview

To consistently enforce user-based policies across both cloud-based and on-premises environments, it's essential to redistribute User-ID mappings between Prisma Access and on-premises firewalls. This ensures that user identity information is available where needed for policy enforcement.

Redistribution Scenarios

1. From Prisma Access to On-Premises Firewall

When mobile users connect through Prisma Access and need to access resources protected by on-premises firewalls, their User-ID mappings must be redistributed to those firewalls.

  sequenceDiagram
    participant User
    participant PrismaAccess
    participant OnPremFW
    User->>PrismaAccess: Connects
    PrismaAccess->>PrismaAccess: Collects User-ID Mapping
    PrismaAccess->>OnPremFW: Redistributes User-ID Mapping

2. From On-Premises Firewall to Prisma Access

When users authenticated through on-premises firewalls need to access resources via Prisma Access, their User-ID mappings must be redistributed to Prisma Access.

  sequenceDiagram
    participant User
    participant OnPremFW
    participant PrismaAccess
    User->>OnPremFW: Connects
    OnPremFW->>OnPremFW: Collects User-ID Mapping
    OnPremFW->>PrismaAccess: Redistributes User-ID Mapping

Configuration Steps

A. Redistribute from Prisma Access to On-Premises Firewall

  1. Configure Prisma Access as a User-ID Agent:
    • In Panorama, navigate to Device > Data Redistribution > Collector Settings.
    • Select the appropriate template (e.g., Service_Conn_Template).
    • Click the gear icon to edit settings.
    • Provide a Collector Name and Pre-Shared Key.
    • Click OK to save changes.
  2. Configure On-Premises Firewall to Collect User-ID Mapping:
    • Navigate to Device > Data Redistribution > Agents.
    • Add a new User-ID Agent with the following details:
      • Host: User-ID Agent Address from Prisma Access.
      • Port: Typically 5007.
      • Collector Name and Pre-Shared Key: Match the values configured in Prisma Access.
    • Click OK to save the configuration.

B. Redistribute from On-Premises Firewall to Prisma Access

  1. Configure On-Premises Firewall as a User-ID Agent:
    • Navigate to Device > Data Redistribution > Collector Settings.
    • Click the gear icon to edit settings.
    • Provide a Collector Name and Pre-Shared Key.
    • Click OK to save changes.
  2. Configure Prisma Access to Collect User-ID Mapping:
    • In Panorama, navigate to Device > Data Redistribution > Agents.
    • Select the appropriate template (e.g., Remote_Network_Template).
    • Add a new User-ID Agent with the following details:
      • Host: IP address of the on-premises firewall's MGT interface or service route.
      • Port: Typically 5007.
      • Collector Name and Pre-Shared Key: Match the values configured in the on-premises firewall.
    • Click OK to save the configuration.
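Most redistribution failures come down to the two sides of a pairing not agreeing on the Collector Name, Pre-Shared Key or port from steps A and B. The following Python check is an added illustration (not Palo Alto Networks' code, and not a PAN-OS API); it models the values each side must hold and reports every mismatch without echoing the key. All hostnames, names and keys are constructed sample values.

```python
import hmac
from dataclasses import dataclass
from typing import List

REDISTRIBUTION_PORT = 5007  # the port the procedure above gives as "typically 5007"


@dataclass
class CollectorSettings:
    """Collector Settings on the side that redistributes mappings."""
    collector_name: str
    pre_shared_key: str


@dataclass
class AgentEntry:
    """User-ID Agent entry on the side that collects the mappings."""
    host: str
    port: int
    collector_name: str
    pre_shared_key: str


def check_pairing(direction: str, collector: CollectorSettings, agent: AgentEntry) -> List[str]:
    """Return findings for one redistribution direction; an empty list means both sides agree."""
    findings = []
    if not agent.host:
        findings.append(f"{direction}: agent entry has no Host configured")
    if agent.port != REDISTRIBUTION_PORT:
        findings.append(f"{direction}: agent port {agent.port} differs from expected {REDISTRIBUTION_PORT}")
    if agent.collector_name != collector.collector_name:
        findings.append(f"{direction}: Collector Name mismatch "
                        f"({agent.collector_name!r} on agent vs {collector.collector_name!r} on collector)")
    # Compare secrets in constant time and keep the key material out of the report.
    if not hmac.compare_digest(agent.pre_shared_key.encode(), collector.pre_shared_key.encode()):
        findings.append(f"{direction}: Pre-Shared Key does not match")
    return findings


# Constructed sample values, not taken from any real deployment.
PRISMA_COLLECTOR = CollectorSettings("prisma-access-collector", "sample-psk-A")
ONPREM_AGENT = AgentEntry("198.51.100.10", 5007, "prisma-access-collector", "sample-psk-A")
ONPREM_COLLECTOR = CollectorSettings("onprem-fw-collector", "sample-psk-B")
PRISMA_AGENT = AgentEntry("203.0.113.5", 5007, "onprem-fw-collecter", "Sample-psk-B")  # typo and case slip


def audit_sample() -> List[str]:
    """Check both directions (scenario A, then scenario B) for the constructed sample."""
    return (check_pairing("Prisma Access -> on-prem FW", PRISMA_COLLECTOR, ONPREM_AGENT)
            + check_pairing("on-prem FW -> Prisma Access", ONPREM_COLLECTOR, PRISMA_AGENT))


if __name__ == "__main__":
    for finding in audit_sample() or ["all pairings consistent"]:
        print(finding)
```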
